SCCM in 2 separate forests
What is the best way to manage SCCM in 2 separate forests?
Dkozlowski@kai.com
November 4th, 2010 3:40pm
http://technet.microsoft.com/en-us/library/bb694003.aspx
November 4th, 2010 3:50pm
Primary site in each is easiest.
John Marcum | http://myitforum.com/cs2/blogs/jmarcum |
November 4th, 2010 3:56pm
Hi,
See basic steps below:
Configuration Manager 2007 clients on the intranet use Active Directory Domain Services as their primary method of service location and configuration. If you have clients that reside in a separate forest, they will not be able to retrieve information that is published to Active Directory Domain Services by their assigned site server.
For these clients to be managed, you must ensure that alternative methods are available for the following:
• Site compatibility check to complete site assignment.
• Service location for management points, and the server locator point if this is not directly assigned.
• Native mode configuration (Optional).
We have two domains in different forests: the first domain is called primary.local and contains the SCCM server; the second domain is domain.com and contains the clients that should be managed by SCCM in the primary domain.
To successfully deploy the CCM client and allow the SCCM server to manage multiple AD forests, we should do the following configuration:
1. Configure boundaries correctly to allow SCCM client agent distribution to clients located in the 2nd trusted domain.
2. Configure push installation method switches in the client installation properties to allow clients in the 2nd domain to find the SLP.
3. Configure the discovery method to allow the SCCM server to discover the 2nd trusted domain.
4. Add the Server Locator Point (SLP) site system role.
5. The CCM admin account should be a local admin on the client computers in the 2nd domain.
6. Publish the SLP manually in WINS for the 2nd trusted domain.
7. Enable WINS on the client PCs in the 2nd domain.
2. Configure Boundaries
In a normal scenario it's recommended to use Active Directory sites as boundaries to install the CCM client, but in this case all computers located in the other forest will not be able to receive the CCM client agent from the SCCM server.
In this case we have to configure "IP Subnet" or "IP Address Range" boundaries to allow clients in the 2nd domain to receive the client agent.
3. Discovery method:
In a normal scenario, it's recommended to enable "Active Directory Site System" and select the local domain, but this setting will discover only the MOWASALAT.LOCAL domain.
To discover the 2nd domain we have to make sure that Active Directory System Discovery is configured with the LDAP path LDAP://DC=domain,DC=COM. Then run discovery and check adsysdis.log to confirm that it is able to search the domain in the other forest.
LDAP Query:
LDAP://DC=domain,DC=com
4. Add Server Locator Point:
Server locator points are used in a Configuration Manager 2007 hierarchy to complete client site assignment on the intranet and help clients find management points when they cannot find that information through Active Directory Domain Services.
So we need to add the Server Locator Point site system role.
5. Configure push installation method switches:
It would also help to add the following switches in the client installation properties, especially the SMSSLP switch, as clients in the other forest won't be able to find the SLP in their forest.
DNS and NetBIOS name resolution should work between forests for this to work.
Switches:
SMSSITECODE=S01 SMSMP=SRV-SCCM01.Primary.com
SMSSLP=SRV-SCCM01 FSP=SRV-SCCM01
6. Publish SLP manually in WINS:
To resolve this issue, manually add an SMS_SLP record and an SMS_MP record to the Windows Internet Name Service (WINS) database. To do this, use one of the following methods, depending on the operating system that you are running:
To manually add the SMS_SLP and SMS_MP records to WINS in Microsoft Windows Server 2003 for the 2nd domain, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following commands at the command prompt, and then press ENTER after each command:
netsh
wins
server
3. Add the SMS_SLP record. To do this, type the following command, and then press ENTER:
add name name=SMS_SLP endchar=1A rectype=0 ip={ip addresses}
Note Make sure that you enclose the IP address in braces ("{ }").
4. Add the MP_SMSSiteCode record. To do this, type the following command, and then press ENTER:
add name name=MP_SMSSiteCode endchar=1A rectype=0 ip={ip addresses}
Note: Make sure that you enclose the IP address in braces ("{ }"). The SMSSiteCode variable represents the three-character string (letters, integers, or a combination of both) that is the code for the SMS site to which the Management Point belongs. It is displayed in the SMS Administrator Console.
7. Publish MP in DNS:
We should publish the MP in DNS and make sure the MP FQDN is resolvable from the clients in the other domain.
To publish the default MP in DNS: Site Management -> S01-Primary -> Properties -> Advanced tab -> Publish the default Management Point in DNS.
November 9th, 2010 4:39am
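As an added, end-to-end example (not part of the answer above and not Microsoft's own tooling), the following PowerShell script runs the checks a practitioner would want from the SCCM site server before pushing the client into the second forest: it publishes and reads back the SMS_SLP and MP_<SiteCode> WINS records with the same netsh syntax as the answer, confirms that the MP FQDN resolves to the expected address and that TCP 80/443 are reachable, binds to the other forest's LDAP path with explicit credentials (no trust means no pass-through) and counts computer objects so you know AD System Discovery has something to search, and assembles the ccmsetup command line with SMSSITECODE, SMSMP, SMSSLP and FSP. The site code S01, the server names, the 192.0.2.0/24 address, the WINS server and the discovery account are assumptions for the example. One caveat the thread does not spell out: WINS registrations are unauthenticated, so anything that can write to that WINS database can point clients in the second forest at a rogue SLP or MP; DNS publishing of the MP and native mode (server certificates) are what actually let a client verify who it is talking to.

```powershell
# Added example, not part of the original post: pre-flight checks for managing
# clients in a second forest from an SCCM 2007 site server. Every name, address
# and credential below is an assumption for the example; replace them with your own.
param(
    [string]$SiteCode        = 'S01',                       # assumed site code
    [string]$MpFqdn          = 'SRV-SCCM01.primary.local',  # assumed MP/SLP/FSP host
    [string]$MpIp            = '192.0.2.10',                # assumed MP address (TEST-NET-1)
    [string]$WinsServer      = 'SRV-WINS01.domain.com',     # assumed WINS server in the 2nd forest
    [string]$OtherForestLdap = 'LDAP://DC=domain,DC=com',   # LDAP path used for AD System Discovery
    [string]$LdapUser        = 'DOMAIN\svc-sccm-disc',      # assumed discovery account in the 2nd forest
    [string]$LdapPassword    = '',                          # supply at run time, do not hard-code
    [switch]$Publish                                        # actually write the WINS records
)

$results = [ordered]@{}

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    # Plain TCP connect with a timeout; works on PowerShell 2.0 (no Test-NetConnection needed).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. Name resolution: the MP FQDN must resolve from this side before it can from the other (step 7).
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($MpFqdn) | ForEach-Object { $_.IPAddressToString }
    $results['dns:MpFqdn'] = ($addrs -contains $MpIp)
} catch { $results['dns:MpFqdn'] = $false }

# 2. Ports the client needs to reach the MP (80 for mixed mode, 443 for native mode).
foreach ($port in 80, 443) {
    $results["tcp:${MpFqdn}:$port"] = Test-TcpPort -HostName $MpFqdn -Port $port
}

# 3. WINS records SMS_SLP and MP_<SiteCode> (1A group records, same syntax as the post).
#    WINS registrations are not authenticated: anyone who can write to this database
#    can redirect clients in the second forest to a rogue SLP/MP, so restrict who can.
foreach ($name in @('SMS_SLP', "MP_$SiteCode")) {
    if ($Publish) {
        $netshArgs = @('wins', 'server', "\\$WinsServer", 'add', 'name',
                       "Name=$name", 'EndChar=1A', 'RecType=0', "IP={$MpIp}")
        & netsh.exe @netshArgs | Out-Null
        $results["wins:add:$name"] = ($LASTEXITCODE -eq 0)
    }
    # Read the record back so a silently ignored registration shows up as a failed check.
    $shown = & netsh.exe wins server "\\$WinsServer" show name "Name=$name" 'EndChar=1A' 2>&1
    $results["wins:lookup:$name"] = (($shown | Out-String) -match [regex]::Escape($MpIp))
}

# 4. LDAP reachability for AD System Discovery (step 3): bind with explicit credentials,
#    because there is no trust, and count computer objects under the discovery path.
try {
    $entry    = New-Object System.DirectoryServices.DirectoryEntry($OtherForestLdap, $LdapUser, $LdapPassword)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, '(objectCategory=computer)', @('dNSHostName'))
    $searcher.PageSize = 1000
    $count = $searcher.FindAll().Count
    $results['ldap:computers'] = ($count -gt 0)
    Write-Host "LDAP: $count computer objects under $OtherForestLdap"
} catch {
    $results['ldap:computers'] = $false
    Write-Host "LDAP bind failed: $($_.Exception.Message)"
}

# 5. Client push / manual install properties for clients in the second forest.
$ccmsetup = "ccmsetup.exe SMSSITECODE=$SiteCode SMSMP=$MpFqdn SMSSLP=$MpFqdn FSP=$MpFqdn"
Write-Host "Install command for clients in the second forest:`n  $ccmsetup"

# Summary: every check should read True before enabling client push into the other forest.
$results.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }
```

Run it without -Publish first to see which prerequisites already hold; add -Publish only when the WINS lookups come back False and you have confirmed the WINS server is the one the second forest's clients actually query. The LDAP step uses a dedicated, least-privilege account that only needs read access to computer objects; the client push account (a local admin on every client in the second forest, per step 5 of the answer) is a much more valuable credential and should not be reused here.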
I've got a similar setup to what John mentioned above.
2 forests, no trusts, firewall between them.
Forest A = Primary Central Site (Corporate)
Forest B = Primary Child Site (Public Network)
I think I've only got 80, 443, and 445 open on the firewalls for MP-MP and WSUS comms.
I then used the information I blogged here
http://systemscentre.blogspot.com/2008/09/sccm-across-untrusted-forests.html to create/copy the site keys across and setup the senders.
All in all, it was easier than I expected to set up, and as long as the AD schemas are extended then having the primary sites in each forest negates all the above from Eric; just treat them as normal installs. In fact, approach it like that: get both systems working individually and then tackle making them talk as central & child.
Cheers,
SB
My System Center Blog
November 11th, 2010 12:13am